public static function moveApplications() { RecruiterController::requireLogin(); global $params; $selected = MongoIdArray($params['selected']); $to = $params['to']; $recruiterId = $_SESSION['_id']; // Make sure all selected are owned. foreach ($selected as $applicationId) { if (!ApplicationModel::isOwned($recruiterId, $applicationId)) { echo toJSON(['error' => 'permission denied']); return; } } // Mark new status. foreach ($selected as $applicationId) { ApplicationStudent::changeStatus($applicationId, $to); } return self::ajaxSuccess(); }